Re: Strange folder created
From: NeoSadist (neos@dist)
Date: 10/17/02
From: "NeoSadist" <neos@dist> Date: Thu, 17 Oct 2002 11:37:38 -0600
"Ho Chi Man Erio" <erio@netvigator.com> wrote in message
news:55c701c275e5$7f3d2770$37ef2ecf@TKMSFTNGXA13...
> Hi all,
>
> Has anyone experienced such a strange situation? I run a
> domain controller and Web server (w/ ASP.Net) on my Win
> 2000 server, recently I found that in the system root
> (e.g. C:\Winnt), some strange folder was created. How
> strange is that:
>
> 1. Located inside the system root, I just set the
> permission for administrators and system (Full control),
> aspnet_wp (R/W), Everyone (R).
>
> 2. The folders then auto-create after I log out of the
> machine (or leave it unattended) silently.
>
> 2. The folders were strictly ordered: 0-9A-Z (capitalized),
> totally 36 characters. The folder names are 16 characters
> each, like "0123456789ABCDEF" or "FGHIJKLMNOPQRSTU", and
> the last is "UVWXYZ0123456789", totally 36.
>
> 3. The create time is not in order, usually completing
> its "cycle" within 7 hours, and the folders contain
> nothing inside (0 byte).
>
> 4. I can delete these folders, and once I delete in the
> middle (e.g. the 1st character is "D"), its order then
> was broken. Might be "EFGH...7890" (still in character
> order)
>
> 5. No other folders like these were found elsewhere. No
> virus was detected (Using NAV with latest definition). No
> strange service found in the "Service".
>
> Could anyone answer me on it?
Uh, if I was in your shoes, and didn't know what was going on, I would do
the following:
First, I'd run a strict antivirus scan on the WHOLE LAN.
Then, I'd find something such as www.auditmypc.com and I'd search for
parasites and such annoyances. Also, Microsoft Baseline Security Analyzer
is a nice thing to use.
I'd also be sure that my WAN (internet) connection had a firewall, and that
firewall blocked any NetBIOS (ports 137-139) in or out over the WAN.
Also, is your LAN all Win2k operating systems? If so, I'd go into all local
security policies and change the LAN Manager authentication level to NTLM or
higher (not using LM).
Tell me what you find, reply to newsgroup please.